Perhaps this is an abuse of bundles, but we find it useful in our project to share an API token between maintainers for a shared user that maintains a public bundle. This provides a common location for anyone to see the patches that have been pulled into the review queue. Only folks with the API token can add to the bundle, but it appears that any account can remove patches from the bundle. Is that by design?